Web-exposed MongoDB installs wiped by bitcoin ransoming script scum Some 2,000 MongoDB installations have been compromised by an attacker demanding administrators pay 0.2 bitcoins (US$206) to have lost data returned. Victor Gevers (@0xDUDE), penetration tester and chairman of the GDI.foundation, noticed the attacks while reporting exposed non-password-protected MongoDB installations to owners …
This post has been deleted by its author
"Where the 'sa' god-mode account had a default blank password on install."
The sa account is disabled by the default install settings though. And when you enable it, by default your password policy is enforced which means that you can't set a blank password without deliberately overriding that.
(Using the current versions of Windows Server + SQL Server has given the lowest total CVE vulnerabilities of OS + Database software of any major competitor for every one of the last 10 years!)
"Thats why I used the words 'had' and 'lessons of history'. Clearly you have zero knowledge of previous SQL versions."
This has been the case since at least SQL Server 2000. Back in those days, lots of things had blank or standard password by default, so hardly a lesson specific to SQL Server....
Just checked out the MongoDB site. Everything about it says "for the basic user". It is specifically noted "Leave the Ops to Us" in one of the text boxes.
Based on this, I am not surprised that so many instances were not properly configured. The subscribing customers left the Ops to them, and the Ops failed to do their job thoroughly.
Seems like we're going to have to slog through another decade of ignoring security until it bites back before people generally get the notion that security IS NOT an afterthought.
should have some form of linux admin skills and ask questions like how is this firewalled, what ports are open or ip address limited? or even be able to check the version number.
Controversial opinion, but if harak1k1 does restore the db's then $200 for a company to know that their DBA has a limited skill set is a lot less money than a full security audit.
"security search engine Shodan" Shodan is ANTI-security.
Shodan is used by hackers for criminal activity, and should be shut down.
It is the #1 source for perverts to find open web cams.
It is used to try and break into companies. Their false claim that they just scan the net is BS, as I saw port scans from them nearly every day for 3 years on our institutions firewalls.
Would not having it make a difference? Network scans aren't hard to do and they've existed a lot longer than Shodan.
Is a web cam secure because it's not listen on some web site that it's not? Is a MongoDB install secure because it's not listed?
Maybe not having Shodan would restrict some of the lowest level bottom feeders who don't actually have the capacity to do any of this themselves, but a better solution would be just to secure your shit.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
